A new EU-US deal aimed at protecting transatlantic data flows will still allow the bulk collection of information for national security purposes, European data protection authorities warned Wednesday.
In February, Brussels and Washington agreed in principle on a new system to safeguard private data. Companies in the European Union can freely share personal data only with jurisdictions that provide data privacy protections comparable to the bloc's.
The new deal aims to replace the original Safe Harbor framework with the United States, which the EU's top court struck down last year as insufficient, following revelations in 2013 of mass spying by US intelligence authorities.
Since February, a working group comprising the data protection authorities of the 28 EU member states has been assessing the new arrangement, known as the EU-US Privacy Shield.
The group considers the new setup to be an overall improvement on Safe Harbor, its chairwoman Isabelle Falque-Pierrotin told reporters in Brussels on Wednesday.
However, she expressed concerns that the agreement - which is not yet in place - still grants US authorities the possibility to collect private data in bulk and use it for security, counterterrorism and international crime-fighting purposes.
Random bulk collection of data is "not acceptable," Falque-Pierrotin said, while noting that there is a "growing tendency to collect ever more data on a massive and indiscriminate scale in light of the fight against terrorism."
The privacy watchdogs also expressed concern over the legal avenues for citizens to challenge the collection or use of their data. These are too complex, Falque-Pierrotin said, while also raising questions about the independence of the ombudsperson overseeing the deal.
The European Consumer Organization BEUC called on the European Commission - which is negotiating the new data transfer framework with the United States - to heed the warnings of Europe's data protection authorities.
"The Privacy Shield has as many holes as a Swiss cheese," said Monique Goyens of BEUC. "EU consumers' rights to privacy should not expire once their personal data travels outside the EU but this agreement does nothing to really prevent that from happening."
Officials in Brussels and Washington are still hammering out final details of the Privacy Shield, with member states due to give their assessment next month so the commission can make a final decision in June.
The EU's executive "will work swiftly" to include Wednesday's recommendations in the final agreement, Justice Commissioner Vera Jourova said, adding that she would also issue a "user's guide" on the complaints procedure.
US Federal Trade Commissioner Maureen Ohlhausen expressed hope Wednesday of being one step closer to ratifying the Privacy Shield, stressing its importance to businesses on both sides of the Atlantic.
But speaking to journalists during a visit to Brussels, she also voiced expectation that the deal would face a legal challenge at some point, adding, "I would be surprised if there wasn't."
Max Schrems, the Austrian citizen whose lawsuit against Facebook had brought down Safe Harbor, said that Wednesday's assessment augured well for a similar challenge to the Privacy Shield.
"Privacy Shield is a total failure that is kept alive because of extensive pressure by the US government and some sectors of the industry," Schrems said in a statement.